Configure Vault Radar permissions
Vault Radar is initially configured by a user with the HCP IAM admin role. Any HCP IAM user with the admin role can perform all functions within Vault Radar, such as adding a data source, triggering an on-demand scan, viewing events, and editing event remediation state.
Any HCP IAM user who does not have the HCP admin role must be added to an HCP IAM group, the group must belong to the project Vault Radar is configured in, and the group must be assigned to one or more data sources.
Vault Radar supports both organization-level and project-level users in the HCP Portal, and service principals for the Vault Radar CLI. We recommend assigning permissions at the project level, following the least-privilege access model.
Add a user for Vault Radar
Note
If a user has been assigned the HCP IAM admin role, they do not need to be added to a group to access Vault Radar.
Determine which RBAC role the user will require by referencing the HCP Vault Radar permissions in the table below:
| Vault Radar permissions | Developer - viewer | Developer - contributor | Viewer | Contributor | Admin |
| --- | --- | --- | --- | --- | --- |
| View events | ✅ (assigned repos only) | ✅ (assigned repos only) | ✅ | ✅ | ✅ |
| Edit event remediation state | | ✅ | | ✅ | ✅ |
| Add or manage data sources | | | | | ✅ |
| Add or manage filters | | | | | ✅ |
| Add or manage event rules | | | | | ✅ |
| Add or manage custom expressions | | | | | ✅ |
| Add or manage ignore rules | | | | | ✅ |
| Configure PR checks policies | | | | | ✅ |
| Trigger on-demand scans | | | | | ✅ |

Verify or create an HCP IAM group with the desired role.
Invite the user from the parent organization's IAM dashboard.
When the user accepts the invitation (and, if necessary, signs up for HCP), assign the user a project-level HCP IAM role.
Add the user to the project with the desired level of access.
Additional information
Refer to the Users page to learn how to invite users and assign roles.
Assign Resource to Developer Role Groups
The Vault Radar Developer Role does not have any permissions by default, and you must have an HCP IAM Group created. A Project Admin must assign the group to specific resources within the Vault Radar UI. To assign resources to the HCP Group:
Go to the Vault Radar portal.
Select /Resources.
Select the resources to be assigned.
Click Assign Groups.
Select the Group.
Select Viewer or Contributor type.
Click OK.
The developer can now access the Vault Radar Event page to see the findings assigned to their group.
Remove Resource from Developer Role Groups
To remove a resource from a group:
Go to the Vault Radar portal.
Select /Resources.
Click on the resource.
Click on the trash icon next to the group name.
Note
The resource is now removed from that HCP Group and individuals within that group will no longer be able to see it in the Vault Radar Portal.